cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Databricks integrating with ServiceNow via Lakeflow Connect for data ingestion

LokeshChikuru
Databricks Partner

‎04-16-2026 12:32 PM

Databricks integrating with ServiceNow via Lakeflow Connect for data ingestion and looking for guidance on enforcing integration-user based data access.

Observed behaviour

  • U2M OAuth authentication succeeds when ServiceNow access is granted to the workspace‑logged‑in ADID user however, when using the ServiceNow integration user (even with admin privileges), the source returns no data.
  • When the pipeline is run as the workspace user (ADID) and that user has admin privileges in ServiceNow, data is fetched successfully.

This suggests OAuth is working , but the effective ServiceNow identity differs for running data ingestion in databricks (integration user vs ADID user), impacting data visibility.

Clarification Required:

  1. Is there a supported way to ensure ServiceNow ingestion always uses the U2M integration user regardless of the workspace user running the pipeline?
  2. Does enabling “run as workspace user” force a U2M data access path by design?
  3. What is the recommended production model for ServiceNow ingestion and how should pipelines be configured in databricks ?

Our goal is to use a consistent Databricks recommended best practice for production without relying on human ADID privileges.

Labels:
0 Kudos
5 REPLIES 5

Sumit_7
Honored Contributor III

‎04-16-2026 10:57 PM

@LokeshChikuru Have you checked the docs? This might help - https://docs.databricks.com/aws/en/ingestion/lakeflow-connect/servicenow-troubleshoot#-authenticatio...

0 Kudos

LokeshChikuru
Databricks Partner

‎04-17-2026 05:11 AM

Hi @Sumit_7 

I have reviewed the configuration and do not see any issues with authentication to ServiceNow using the U2M approach (OAuth application with an Integration User).

However, I would like to understand which user context is used when the data fetch occurs during pipeline execution.

Based on my observations, the ServiceNow integration user is not being used during pipeline execution. As a result, no data is returned.
When ServiceNow admin privileges are assigned to the AD user who logged into the Databricks workspace, the ServiceNow table data becomes visible.

0 Kudos

emma_s
Databricks Employee
Databricks Employee

‎04-17-2026 08:23 AM

Hi, looking through some internal resources, it seems most likely to be down to ServiceNow-side ACLs, High Security Settings, or domain/scope restrictions overriding the admin role on system tables the connector queries.

Quick things to check:

- Run this curl as the integration user against ServiceNow: GET /api/now/v2/table/sys_db_object?sysparm_query=name=<your_table>&sysparm_fields=super_class.name. A 403 or empty result confirms it's a
ServiceNow-side ACL issue, not the connector. Test sys_dictionary the same way.
- Compare ACLs on sys_db_object, sys_dictionary, sys_glide_object between a working env (your DEV) and the failing one: that usually surfaces the difference fast.
- Check for glide.security.strict or custom ACLs overriding admin.
- Check whether the integration user is in a different application scope or domain than the data — domain separation isn't overridden by admin role.
- Confirm the admin role is state = "active" on sys_user_has_role, not "requested" or "inactive".
- There's a workspace-level pipeline flag (ingestionPipelineServiceNowNonAdminAccessSchemaFetchEnabled) for least-privilege setups , support can enable it if needed.

If you want to take OAuth identity off the table entirely while you debug, switching the connection to ROPC (integration user's username + password) removes any ambiguity about who's hitting ServiceNow at runtime. ServiceNow connector supports both —
https://docs.databricks.com/aws/en/ingestion/lakeflow-connect/servicenow-source-setup.

If none of the above sorts it, raise a support ticket with the curl response (status + body), the failing pipeline ID, and your workspace ID.

I hope this helps.

Thanks,

Emma

LokeshChikuru
Databricks Partner

a month ago

Hi @emma_s 

I’ve reviewed the setup and wanted to clarify the behavior I’m seeing with the ServiceNow connector and U2M OAuth.

The ServiceNow connection was created successfully using a U2M OAuth integration user, and that integration user has admin permissions in ServiceNow. The connection test succeeds without any issues.

However, during actual data ingestion, it appears that the connector is not executing purely in the context of the U2M OAuth integration user. Instead, ingestion seems to also depend on the Databricks workspace user who created or is running the pipeline. When that workspace user does not have the required ServiceNow permissions, the ingestion returns no data. If ServiceNow permissions are granted to the workspace user, the data becomes visible.

I’m trying to understand whether this behavior is expected with U2M OAuth—i.e., pipelines executing under the workspace user’s identity rather than strictly under the integration user—and whether app‑level (client credentials) authentication is the recommended approach for unattended ingestion scenarios where execution should not depend on individual Databricks users.

Any clarification from the Databricks team or others who have implemented this would be helpful.

 

0 Kudos

LokeshChikuru
Databricks Partner
In response to LokeshChikuru

3 weeks ago

@emma_s 

We have been validating the Databricks–ServiceNow data integration using the Lakeflow ServiceNow connector and wanted to align with recommended and supported approach.

 

Below is a summary of what we have tested so far and where we need clarification.

 

Task 1: Create a ServiceNow Connection using U2M OAuth

 

  • Created an OAuth application in ServiceNow and obtained the Client ID and Client Secret for an integration user also assigned Admin or snc_readonly permissions as well.
  • Configured a ServiceNow connection in Databricks (Lakeflow connector) with:  
  • Client ID
  • Client Secret
  • OAuth Type: U2M
  • Instance URL
  • During connection creation, Databricks redirects to the ServiceNow login page for OAuth authorization. We tested multiple authentication scenarios at this step:

                                                                                                               

Scenario

User Used during OAuth Redirect

Result

Use Case 1

OAuth integration user (Databricks_Integration)

Failed

Use Case 2

Data ingestion pipeline owner

Failed

Use Case 3

Local ServiceNow admin account

Failed

Use Case 4

ServiceNow AD‑synced admin user

Succeeded

 

Only the ServiceNow AD‑synced admin user was able to successfully complete the OAuth authorization and create the connection.

 

Task 2: Create and Run a Data Ingestion Pipeline

 

  • Created a data ingestion pipeline using the above ServiceNow connection.
  • Attempted to run the pipeline:
    • As the pipeline owner
    • As a Service Principal

 

Clarification Needed:

 

To move forward cleanly and align on best practices, we would like Databricks’ guidance on:

 

  1. Which user should authenticate during the OAuth redirect step for ServiceNow authentication when creating the ServiceNow connection?
  2. Which identity is expected to have ServiceNow Admin permissions during pipeline execution:
  • OAuth integration user
  • Pipeline owner

 

0 Kudos
Announcements